A few days ago I had a problem with transaction log files on a Exchange 2010 SP2 RU1 mail server. They grown and grown and grown... I saw above 160,000 (one hundred sixty thousand !!!) files belonging to a single mailbox database. The mailbox database itself was ca. 30 GByte in size. It was then no surprise that the appropriate volume exceeded it capacity after only a couple of hours.

I wouldn't even have noticed the issue but the appropriate backup job that should flush transaction log files among other things failed and didn't run. Because of the failed backup job the transaction log files were not flashed and were not removed but grown.
But what was the reason log files grown such extremely way? I held as first spam emails or wrong-configured inbox rules responsible for the rapid growth. But I could see very soon that the amount of emails in the mailbox database increased very slowly. And sometimes I saw three thousand transaction log files were generated during 15 minutes. You may remember that one transaction log file's size is one MByte by default. Somebody wrote that an iPhone device caused the trouble like this. I had to find the device, which caused the issue, because of buggy Exchange ActriveSync protocol implementation.

I used the following tools that helped me investigating the case and founding the real problem source:

- LPS (Log Parser Studio)
and
- ExMon (Exchange User Monitor)

The first one analyzes different log files (IIS log files from the responsible CAS server in this case) and can create statistics based on the analyses. It requires "Log Parser 2.2" to be installed. The pre-defined queries are very good, I used "ActiveSync Report [Top 20]" to find the device that caused the traffic and the creation of the transaction log files:

The very big amount of Hits and Pings in the first line of the statistics indicates that the device causes a problem.

The second helpful tool comes from world of Exchange 5.5 and 2003, but it runs under Exchange 2010 as well. It died showing an exception, but it was no big thing. I had to run it as administrator. ExMon shows a very detailed statistics about the recent client access, packets, sessions and client device versions. The statistics can be saved to be analyzed later.
In my case the same device as found with LPS caused a lot of sessions and a high CPU (regarding CPU time for the store process).

After that I disabled the ActiveSync protocol for the user and a couple of minutes later the growth of transaction log files became moderate, I'd say normal. The problem was solved.

11
Kommentare :: Exchange 2010 transaction logfiles grow very fast

this was very use fullThanks a lot!

what action did you take for those users who are causing this issue... did you enable them after sometime, or did you remove the partner ship or recreated the profile or did you ask user to update their device

If a user causes an issue I'd like to find out what is the exactly reason: a buggy firmware? a buggy ActiveSync speaking app? something else? So I'll take a look at his/her smartphone. Sometimes the re-installing of the app helps. Sometimes you have to wait for an update from the manufacturer. The clear answer is: it depends ;-)

What would be a Normal value for the Hit count or Ping count? I guess my question is what values would indicate "abnormal" behavior? Is there a threshold of number that would indicate something abnormal?

We used LPS and found 1 user with some pretty abnormally high values (user was running an IOS 6.1.3 device) and they were experiencing battery drain issues (which I believe have been common issues with IOS 6 devices recently.We will continue to monitor.Is there someplace where the LPS value for Activesync for HITS, PING, SYNC and MEETINGRESPONSE values are documented? I'm trying to understand what those values mean?